Attackers Targeting New Java Zero-Day Flaw

Security firms are warning about a new Java zero-day vulnerability that gives attackers the ability to target the Java browser plug-in.

The flaw affects fully patched installations of Java and, for now, users can only be protected by disabling the Java browser plug-in, according to Jaime Blasco, labs manager at San Mateo, Calif.-based AlienVault Labs.

"The Java file is highly obfuscated but based on the quick analysis we did the exploit is probably bypassing certain security checks, tricking the permissions of certain Java classes," Blasco wrote in the company's security blog.

The attacks appear to be coming from Black Hole, Cool and Nuclear attack toolkits, according to the researcher who disclosed the latest Java zero-day vulnerability. The researcher said he detected hundreds of thousands of hits daily.

Java has become a big target in recent years, fueled by attacks from financially motivated cybercriminals who use automated attack toolkits. Blasco said a publicly available exploit targeting the latest zero-day vulnerability likely will be widely available in days.

Oracle, which maintains Java, has struggled to keep up with the onslaught of attacks. In August it issued an emergency update to address several vulnerabilities, but it was criticized for taking too long to address the issues.

Java can be disabled by consumers, but enterprise IT teams have a difficult time addressing Java threats because many corporate systems and applications use Java. Intrusion prevention systems and gateway devices that filter out exploit code and suspicious URLs are the best defense for zero-day attacks, said Gunter Ollmann, CTO of IOActive, Inc.

"Java itself has got a lot of vulnerabilities and bugs because it's a very flexible language," Ollmann said. "It tries to do an awful lot in the context of the end user, which opens up a lot of opportunities for end-user bashing."